buckeye Posted June 3, 2014

```php
<?php # Script 18.8 - login.php
// This is the login page for the site.
require ('includes/config.inc.php');
$page_title = 'Login';
include ('includes/header.html');

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    require (MYSQL);

    // Validate the email address:
    if (!empty($_POST['email'])) {
        $e = mysqli_real_escape_string ($dbc, $_POST['email']);
    } else {
        $e = FALSE;
        echo '<p class="error">You forgot to enter your email address!</p>';
    }

    // Validate the password:
    if (!empty($_POST['pass'])) {
        $p = mysqli_real_escape_string ($dbc, $_POST['pass']);
    } else {
        $p = FALSE;
        echo '<p class="error">You forgot to enter your password!</p>';
    }

    if ($e && $p) { // If everything's OK.

        include('includes/lib/password.php');

        // Query the database:
        $q = "SELECT user_id, first_name, user_level FROM users WHERE (email='$e' AND pass='" . password_hash($p, PASSWORD_BCRYPT) . "') AND active IS NULL";
        $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));

        if (@mysqli_num_rows($r) == 1) { // A match was made.

            // Register the values:
            $_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC);
            mysqli_free_result($r);
            mysqli_close($dbc);

            // Redirect the user:
            $url = BASE_URL . 'index1.php'; // Define the URL.
            ob_end_clean(); // Delete the buffer.
            header("Location: $url");
            exit(); // Quit the script.

        } else { // No match was made.
            echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
        }

    } else { // If everything wasn't OK.
        echo '<p class="error">Please try again.</p>';
    }

    mysqli_close($dbc);

} // End of SUBMIT conditional.
?>
<h1>Login</h1>
<p>Your browser must allow cookies in order to log in.</p>
<form action="login.php" method="post">
    <fieldset>
    <p><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="60" /></p>
    <p><b>Password:</b> <input type="password" name="pass" size="20" maxlength="20" /></p>
    <div align="center"><input type="submit" name="submit" value="Login" /></div>
    </fieldset>
</form>
<?php include ('includes/footer.html'); ?>
```

```php
include('includes/lib/password.php');

// Add the user to the database:
$q = "INSERT INTO users (email, pass, first_name, last_name, active, registration_date) VALUES ('$e', '" . password_hash($p, PASSWORD_BCRYPT) . "', '$fn', '$ln', '$a', NOW() )";
$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));
```

I am trying to use the password_hash encryption technique for the Ch 18 example rather than SHA1. I was able to successfully register by changing the registration query (see second script, which includes 'lib/password.php' due to my version of PHP). However, when I try to log in (see top script), it indicates my password doesn't match what's on file. Is it possible something needs to be changed in the login's validation? Or have I possibly missed something else? Any help would be greatly appreciated.
Larry Posted June 4, 2014

It's great that you're switching to the password hashing library. But password verification cannot be done within the query now. Instead, you'll need to use password_verify() to verify the password.
buckeye Posted June 4, 2014 (Author)

```php
<?php # Script 18.8 - login.php
// This is the login page for the site.
require ('includes/config.inc.php');
$page_title = 'Login';
include ('includes/header.php');

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    require (MYSQL);

    // Validate the email address:
    if (!empty($_POST['email'])) {
        $e = mysqli_real_escape_string ($dbc, $_POST['email']);
    } else {
        $e = FALSE;
        echo '<p class="error">You forgot to enter your email address!</p>';
    }

    // Validate the password:
    if (!empty($_POST['pass'])) {
        $p = mysqli_real_escape_string ($dbc, $_POST['pass']);
    } else {
        $p = FALSE;
        echo '<p class="error">You forgot to enter your password!</p>';
    }

    if ($e && $p) { // If everything's OK.

        include('includes/lib/password.php');
        $hash=password_hash($p, PASSWORD_BCRYPT);

        if (password_verify($pass, $hash)) { // Correct!
            // Query the database:
            $q = "SELECT user_id, first_name, user_level FROM users WHERE (email='$e' AND pass='$p') AND active IS NULL";
            $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));
        }

        if (@mysqli_num_rows($r) == 1) { // A match was made.

            // Register the values:
            $_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC);
            mysqli_free_result($r);
            mysqli_close($dbc);

            // Redirect the user:
            $url = BASE_URL . 'index2014.php'; // Define the URL.
            ob_end_clean(); // Delete the buffer.
            header("Location: $url");
            exit(); // Quit the script.

        } else { // No match was made.
            echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
        }

    } else { // If everything wasn't OK.
        echo '<p class="error">Please try again.</p>';
    }

    mysqli_close($dbc);

} // End of SUBMIT conditional.
?>
<h1>Login</h1>
<p>Your browser must allow cookies in order to log in.</p>
<form action="login.php" method="post">
    <fieldset>
    <p><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="60" /></p>
    <p><b>Password:</b> <input type="password" name="pass" size="20" maxlength="20" /></p>
    <div align="center"><input type="submit" name="submit" value="Login" /></div>
    </fieldset>
</form>
<?php include ('includes/footer.php'); ?>
```

Thank you for your response! I've read back through the applicable sections of both Effortless E-Commerce, 2nd Edition and PHP & MySQL, 4th Edition, along with the PHP manual, and believe I have the syntax for password_verify correct. However, I am still getting the response "E-mail or password do match what's on file..." Could it be a misplaced } ? Code is included. Thanks for your help.
buckeye Posted June 5, 2014 (Author)

```php
// Query the database:
$q = "SELECT * FROM users WHERE email='$e' AND active IS NULL";
$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));
}

include('includes/lib/password.php');
$hash=password_hash($p, PASSWORD_BCRYPT);
if (password_verify($pass, $hash)) { // Correct!
```

Thought I had this figured out. The logic in the previous response (though it included the password_verify) was incorrect. This modified excerpt of the script allows login (by checking for e-mail) but is not checking the password. Any suggestions would be appreciated.
Larry Posted June 6, 2014

This second bit of code is essentially what you should be doing: first select the user ID, password, and other information, using the email address (if active). Then provide that stored password to the password_verify() function, comparing with the just submitted password.
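The two-step flow Larry describes in both replies (select the row by email, then hand the stored hash to password_verify()), written out as an added example. This is not the original poster's code and not one of the book's scripts. It assumes $dbc is an open mysqli connection, that the users table has user_id, first_name, user_level, email, active and a pass column wide enough for the 60-character bcrypt string, and that includes/lib/password.php supplies password_hash(), password_verify() and password_needs_rehash() on PHP versions before 5.5. It uses a prepared statement instead of mysqli_real_escape_string(), which is a choice made here, not something the thread asks for.

```php
<?php
// Added example (not the poster's code and not a book script). Assumptions:
// $dbc is an open mysqli connection; users has user_id, first_name,
// user_level, email, active, and a pass column that holds a 60-char bcrypt
// hash; includes/lib/password.php is the password_compat library (PHP < 5.5).
if (!function_exists('password_verify')) {
    require 'includes/lib/password.php';
}

/**
 * Authenticate an email/password pair.
 * Returns an array of session fields on success, FALSE otherwise.
 */
function login_user(mysqli $dbc, $email, $password)
{
    // Dummy hash (built once per process) so an unknown email costs roughly
    // the same time as a wrong password; otherwise response time reveals
    // which addresses are registered.
    static $dummy_hash = null;
    if ($dummy_hash === null) {
        $dummy_hash = password_hash('not-a-real-password', PASSWORD_BCRYPT);
    }

    // Step 1: select by email only and read the stored hash back. The hash is
    // never compared in SQL: bcrypt output is salted, so hashing the submitted
    // password again produces a different string every time.
    $stmt = $dbc->prepare(
        'SELECT user_id, first_name, user_level, pass
           FROM users
          WHERE email = ? AND active IS NULL'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($user_id, $first_name, $user_level, $stored_hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        password_verify($password, $dummy_hash);
        return FALSE;
    }

    // Step 2: compare the raw submitted password with the stored hash.
    // Argument order: plaintext first, hash from the database second.
    if (!password_verify($password, $stored_hash)) {
        return FALSE;
    }

    // Step 3 (optional): if the cost or algorithm has changed since this hash
    // was made, rehash now while the plaintext is in hand.
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT)) {
        $new_hash = password_hash($password, PASSWORD_BCRYPT);
        $upd = $dbc->prepare('UPDATE users SET pass = ? WHERE user_id = ?');
        $upd->bind_param('si', $new_hash, $user_id);
        $upd->execute();
        $upd->close();
    }

    // Only what the session needs; the hash never goes into $_SESSION.
    return array(
        'user_id'    => $user_id,
        'first_name' => $first_name,
        'user_level' => $user_level,
    );
}

// Usage in login.php, in place of the query-and-compare block. The raw $_POST
// values are passed: the prepared statement handles quoting, and the password
// must reach password_verify() exactly as the user typed it.
if ($_SERVER['REQUEST_METHOD'] == 'POST'
    && !empty($_POST['email']) && !empty($_POST['pass'])) {
    $user = login_user($dbc, $_POST['email'], $_POST['pass']);
    if ($user) {
        $_SESSION = $user;
        // ... redirect as in Script 18.8 ...
    } else {
        echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
    }
}
```

Two checks worth making when a login like this still fails after the logic is right. First, the pass column: a column sized for SHA1 output (CHAR(40)) silently truncates the 60-character bcrypt string on INSERT, and password_verify() will then never match; it needs to be at least VARCHAR(60), and VARCHAR(255) leaves room for future algorithms. Second, the value passed to password_verify() must be the password as submitted; running it through mysqli_real_escape_string() first changes any password containing a quote or backslash, so hash and verify only agree if both sides mangle it identically.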